<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <link rel="stylesheet" href="docgen-resources/docgen.css" type="text/css">
  <meta name="generator" content="FreeMarker Docgen (DocBook 5)">
  <title>
    FreeMarker Manual - 2.3.19
  </title>
    <script type="text/javascript" src="docgen-resources/jquery.js"></script>
    <script type="text/javascript" src="docgen-resources/linktargetmarker.js"></script>
</head>
<body>

    <div class="navigation">
    <div class="breadcrumb">
<span class="breadcrumb">        You are here:
          <a href="index.html">Book</a>
            <b>></b>
          <a href="app.html">Appendixes</a>
            <b>></b>
          <a href="app_versions.html">Versions</a>
            <b>></b>
          2.3.19
</span>    </div>
    <div class="bookmarks">
<span class="bookmarks">Bookmarks:
<a href="alphaidx.html">Alpha. index</a>, <a href="gloss.html">Glossary</a>, <a href="dgui_template_exp.html#exp_cheatsheet">Expressions</a>, <a href="ref_builtins_alphaidx.html">?builtins</a>, <a href="ref_directive_alphaidx.html">#directives</a>, <a href="ref_specvar.html">.spec_vars</a>, <a href="app_faq.html">FAQ</a>, <a href="api/index.html">API</a>, <a href="../index.html">Home</a></span>    </div>
    <div class="pagers">
      <div class="pagersVerticalSpacer"><img src="docgen-resources/img/none.gif" width="1" height="1" alt="" hspace="0" vspace="0" border="0"/></div>
<div class="pagerButton"><a href="versions_2_3_18.html"><span class="hideA">Next page: </span>2.3.18</a></div><div class="pagerButton"><a href="versions_2_3_20.html">Previous page</a></div><div class="pagerButton"><a href="app_versions.html">Parent page</a></div><div class="pagerButton"><a href="index.html">Contents</a></div>      <div class="pagersVerticalSpacer"><img src="docgen-resources/img/none.gif" width="1" height="1" alt="" hspace="0" vspace="0" border="0"/></div>
    </div>
    </div>

<div id="mainContent">

  
  
  
  
  <h1 class="rank_section1"
        id="pageTopTitle">
<a name="versions_2_3_19"></a>2.3.19  </h1>
    
    <div class="toc">
      <p>
        <b>
            Page Contents
        </b>
      </p>
      
  <ul class="noMargin">
      <li style="padding-bottom: 0.5em"><i><a href="#docgen_afterTheTOC">Intro.</a></i></li>
      <li>
        <a href="#autoid_137">Changes on the FTL side</a>
      </li>
      <li>
        <a href="#autoid_138">Changes on the Java side</a>
      </li>
  </ul>
    </div>
    <a name="docgen_afterTheTOC"></a>
    
<p>Date of release: 2012-02-29</p><p>Don't miss the <a href="#v2319secfix">security related
        changes</a>, they may affect your application!</p>
            
  
  
  
  <h2 class="rank_section2"
        >
<a name="autoid_137"></a>Changes on the FTL side  </h2>


              <div class="itemizedlist">
<ul>
            <li>
              <p><i>Attention</i>: The output of <a href="ref_builtins_date.html#ref_builtin_date_iso">ISO 8601 date/time formatting
              built-ins</a>, introduced in 2.3.17, was slightly changed.
              From now on, the time zone offset, when it's displayed and it
              isn't <tt style="color: #A03D10">Z</tt>, always includes the minutes. For
              example, <tt style="color: #A03D10">15:30:15+02</tt> becomes to
              <tt style="color: #A03D10">15:30:15+02:00</tt> in the template output. Both
              formats are valid according to ISO 8601 (so anything that
              expects ISO 8601 date/times should continue working), but only
              the last format complies with the XML Schema date/time formats,
              hence this change.</p>
            </li>

            <li>
              <p>New built-in for escaping inside JSON string literals:
              <a href="ref_builtins_string.html#ref_builtin_json_string"><tt>json_string</tt></a>.</p>
            </li>

            <li>
              <p>Bugfix: Wrong <tt style="color: #A03D10">#</tt> tags were printed as
              static text instead of causing parsing error if there was no
              correct <tt style="color: #A03D10">#</tt> tag earlier in the same template.
              Since fixing this would not be 100% backward compatible, the old
              behavior has remained, unless you set the
              <tt style="color: #A03D10">incompatible_enhancements</tt> setting
              (<tt style="color: #A03D10">Configuration.setIncompatibleEnhancements(String)</tt>)
              to <tt style="color: #A03D10">&quot;2.3.19&quot;</tt> or higher.</p>
            </li>
          </ul>    </div>

        
            
  
  
  
  <h2 class="rank_section2"
        >
<a name="autoid_138"></a>Changes on the Java side  </h2>


              <div class="itemizedlist">
<ul>
            <li>
              <p><a name="v2319secfix"></a><i>Attention</i>: This
              release contains two important security workarounds that
              unavoidably make it obvious how some applications can be
              exploited. <i>FreeMarker can't solve these issues on all
              configurations, so please read the details instead of just
              updating FreeMarker!</i> Also, these changes are not 100%
              backward compatible in theory, however it's not probable that
              they will break anything. The two changes are:</p>

                  <div class="itemizedlist">
<ul>
                <li>
                  <p>The character with character code 0
                  (<tt style="color: #A03D10">\u0000</tt>) is not allowed in template paths
                  anymore. When a path contains it, FreeMarker behaves as if
                  the template was not found.</p>

                  <p>This is to fix the security problem where a template
                  path like <tt style="color: #A03D10">&quot;secret.txt\u0000.ftl&quot;</tt> is used
                  to bypass extension filtering in an application. FreeMarker
                  itself doesn't care about the extension, but some
                  applications decide based on the extension if they will
                  delegate a path to FreeMarker. When they do with such a
                  path, the C/C++ implementation behind the storage mechanism
                  may sees the path as <tt style="color: #A03D10">&quot;secret.txt&quot;</tt> as the
                  0 terminates the string in C/C++, and thus load a non-FTL
                  file as a template, returning the file contents to the
                  attacker.</p>

                  <p>Note that some HTTP servers, notably Tomcat and the
                  Apache HTTP Server blocks URL-s where the URL contains 0
                  (<tt style="color: #A03D10">%00</tt>) outside the query string, thus this
                  wasn't exploitable there through such Web URL-s. Some other
                  HTTP servers however, like Jetty, doesn't block such
                  URL-s.</p>
                </li>

                <li>
                  <p><tt style="color: #A03D10">ClassTemplateLoader</tt>, when it's
                  created with base path <tt style="color: #A03D10">&quot;/&quot;</tt> (like with
                  <tt style="color: #A03D10">new ClassTemplateLoader(someClass, &quot;/&quot;)</tt>),
                  will not allow template paths that contain colon earlier
                  than any <tt style="color: #A03D10">/</tt>, and will act like if the
                  template was not found in such case.</p>

                  <p>This is to fix the security problem where a template
                  path like <tt style="color: #A03D10">&quot;file:/etc/secret&quot;</tt> or
                  <tt style="color: #A03D10">&quot;http://example.com/malware.ftl&quot;</tt> is
                  interpreted as a full URL by a
                  <tt style="color: #A03D10">java.net.URLClassLoader</tt> in the
                  class-loader hierarchy, and thus allow loading files from
                  these URL-s as templates. This is a quirk (or bug) of
                  <tt style="color: #A03D10">java.net.URLClassLoader</tt>, thus this
                  problem only exists on systems that use such
                  class-loaders.</p>

                  <p>Beware, some frameworks use their own
                  <tt style="color: #A03D10">TemplateLoader</tt> implementations, and if
                  those are vulnerable, they will remain so after updating
                  FreeMarker too! Note that this exploit only works if the
                  class-loader hierarchy contains an
                  <tt style="color: #A03D10">URLClassLoader</tt> and the class-loader is
                  used to load templates without adding any prefix before the
                  template path (other than <tt style="color: #A03D10">&quot;/&quot;</tt>).</p>
                </li>
              </ul>    </div>


              <p>These security issues mostly only affect applications
              <i>where the user (the visitor) can supply arbitrary
              template paths to the application</i>. This is not the
              case with properly built MVC applications, as there only the MVC
              Controller can be addressed directly, and it's the Controller
              that specifies the template paths. But legacy MVC applications
              based on <a href="pgui_misc_servlet.html#pgui_misc_servlet_model2">JSP
              Model-2</a> often expose the MVC Views as public URL-s ending
              with <tt style="color: #A03D10">.ftl</tt>, thus allowing the user to give
              arbitrary paths to FreeMarker. Such applications should be
              secured with a <tt style="color: #A03D10">security-constratint</tt> in
              <tt style="color: #A03D10">web.xml</tt> as shown in the <a href="pgui_misc_servlet.html#pgui_misc_servlet_model2">related Manual
              section</a>. This should be done regardless of the current
              security fixes.</p>

              <p>In general, you should not allow users to specify
              arbitrary template paths, or if you do allow that, you should be
              extra careful with the <tt style="color: #A03D10">TemplateLoader</tt>
              used.</p>
            </li>

            <li>
              <p><tt style="color: #A03D10">Configuration</tt> has new methods:
              <tt style="color: #A03D10">removeTemplateFromCache(...)</tt>. This will
              remove the given template for the given locale from the cache,
              so it will be re-loaded regardless of the template update delay
              when it's next time requested.</p>
            </li>

            <li>
              <p><tt style="color: #A03D10">BeansWrapper</tt> ignores setter methods
              from now when introspecting classes. They weren't used anyway,
              so they unnecessarily caused
              &quot;<tt style="color: #A03D10">java.beans.IntrospectionException</tt>: type
              mismatch between read and write methods&quot; errors.</p>
            </li>

            <li>
              <p><tt style="color: #A03D10">TemplateClassResolver.SAFER_RESOLVER</tt>
              now disallows creating
              <tt style="color: #A03D10">freemarker.template.utility.JythonRuntime</tt> and
              <tt style="color: #A03D10">freemarker.template.utility.Execute</tt>. This
              change affects the behavior of the <a href="ref_builtins_expert.html#ref_builtin_new"><tt>new</tt> built-in</a>
              if FreeMarker was configured to use
              <tt style="color: #A03D10">SAFER_RESOLVER</tt>, which is not the default
              until 2.4 and is hence improbable.</p>
            </li>

            <li>
              <p>Bug fixed: Calling varargs methods now indeed works.
              (Earlier it only worked for overloaded methods.)</p>
            </li>

            <li>
              <p>Bug fixed <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=1837697&amp;group_id=794&amp;atid=100794">[1837697]</a>
              <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=2831150&amp;group_id=794&amp;atid=100794">[2831150]</a>
              <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3039096&amp;group_id=794&amp;atid=100794">[3039096]</a>
              <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3165425&amp;group_id=794&amp;atid=100794">[3165425]</a>:
              Jython support now works with Jython 2.2 and 2.5.</p>
            </li>

            <li>
              <p>Bug fixed <a href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=3325103&amp;group_id=794&amp;atid=100794">[3325103]</a>:
              <tt style="color: #A03D10">TemplateException</tt>-s and
              <tt style="color: #A03D10">ParseException</tt>-s are now serializable.</p>
            </li>
          </ul>    </div>

          
</div>

    <div class="navigation">
    <div class="pagers">
      <div class="pagersVerticalSpacer"><img src="docgen-resources/img/none.gif" width="1" height="1" alt="" hspace="0" vspace="0" border="0"/></div>
<div class="pagerButton"><a href="versions_2_3_18.html"><span class="hideA">Next page: </span>2.3.18</a></div><div class="pagerButton"><a href="versions_2_3_20.html">Previous page</a></div><div class="pagerButton"><a href="app_versions.html">Parent page</a></div><div class="pagerButton"><a href="index.html">Contents</a></div>      <div class="pagersVerticalSpacer"><img src="docgen-resources/img/none.gif" width="1" height="1" alt="" hspace="0" vspace="0" border="0"/></div>
    </div>
    <div class="breadcrumb">
<span class="breadcrumb">        You are here:
          <a href="index.html">Book</a>
            <b>></b>
          <a href="app.html">Appendixes</a>
            <b>></b>
          <a href="app_versions.html">Versions</a>
            <b>></b>
          2.3.19
</span>    </div>
    </div>

<table border=0 cellspacing=0 cellpadding=0 width="100%">
    <tr>
      <td colspan=2><img src="docgen-resources/img/none.gif" width=1 height=8 alt=""></td>
    <tr>
      <td align="left" valign="top"><span class="smallFooter">
            FreeMarker Manual -- For FreeMarker 2.3.20
            <br>
          HTML generated: 2013-06-27 20:54:33 GMT
      </span></td>
      <td align="right" valign="top"><span class="smallFooter">
          <a href="http://www.xmlmind.com/xmleditor/">
            <img src="docgen-resources/img/xxe.gif" alt="Edited with XMLMind XML Editor">
          </a>
      </span></td>
    </tr>
</table>
  <!-- Put pre-loaded images here: -->
  <div style="display: none">
    <img src="docgen-resources/img/linktargetmarker.gif" alt="Here!" />
  </div>
</body>
</html>

